THE CHALLENGE

With the increase in credit card data breaches in recent years, protecting credit card information is top of mind for both organizations and customers. To better protect payment card data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a set of security requirements governing the protection of this data for all organizations that accept, process, store, or transmit credit card information. Failure to comply with these standards can result in serious fines and a tarnished reputation.

A large healthcare system was notified that it is now required to report compliance as one entity, rather than as separate small business units (individual gift shops, parking garages, pharmacies, etc.). Because the level of responsibility is based on the number of yearly credit card transactions, this consolidation increased the organization's reporting obligations.

The healthcare system was only given a year and a half to become compliant at the new level, but with only one employee handling this effort, additional support was needed. Through existing relationships, the client learned of Sendero’s experience with PCI Compliance and requested assistance.


OUR APPROACH

Sendero worked with the existing PCI Lead to perform a current state assessment and remediate gaps.

This assessment included:

  • Interviewing the 22 managers of entities accepting card payments, including gift shops, retail pharmacies, and parking garages, to better understand their current processes and policies
  • Evaluating 11 third-party payment applications used to capture payment information in the different lines of business

After gathering the current-state information, the findings were compared against the PCI DSS regulations to identify the gaps needing remediation.


OUR RESULTS

To address the gaps, we completed the following remediation activities:

  • Established a centralized inventory tracking platform to track the hundreds of payment devices used and introduced regular checks for each device
  • Resolved security vulnerabilities found during penetration testing, for example by hardening systems and removing weak passwords
  • Terminated or altered processes that were deemed risky (e.g., eliminating the writing down of payment card data, changing the customer service call recording settings to stop recording when discussing payment data)
  • Implemented yearly mandatory PCI Awareness Training for all employees
  • Established written standards for new implementations of payment processes/applications

The healthcare system submitted the necessary compliance reports before the deadline and was placed in good standing with PCI.
